General Info

File name: c20e4249716805ab2c8645de65874797a2671ae16a30b9f1625ceb5f4bdd3ae6
Full analysis: https://app.any.run/tasks/4b655b78-bef3-4b46-96e0-652d6ffb064e
Verdict: Malicious activity
Analysis date: 7/18/2019, 01:13:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, sodinokibi
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: b1967a82aa094de63128da050f90f2c8
SHA1: e77bdde00ff24edb5f3298c5361ccf172e3600fd
SHA256: c20e4249716805ab2c8645de65874797a2671ae16a30b9f1625ceb5f4bdd3ae6
SSDEEP: 3072:AZPM0OGdUKV10OTed7/kBazzFbULfggkpFIC:AZPMnGZVyO6F/M4qbapFIC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 60 seconds
Additional time used: none
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Starts BCDEDIT.EXE to disable recovery
  • cmd.exe (PID: 3708)
Deletes shadow copies
  • cmd.exe (PID: 3708)
Sodinokibi ransom note found
  • rundll32.exe (PID: 2216)
Renames files like ransomware
  • rundll32.exe (PID: 2216)
Dropped file may contain ransomware instructions
  • rundll32.exe (PID: 2216)
Loads dropped or rewritten executable
  • WerFault.exe (PID: 4088)
  • rundll32.exe (PID: 2216)
Sodinokibi keys found
  • rundll32.exe (PID: 2216)
Executed as Windows Service
  • vssvc.exe (PID: 3044)
Creates files like ransomware instructions
  • rundll32.exe (PID: 2216)
Creates files in the program directory
  • rundll32.exe (PID: 2216)
Executed via COM
  • unsecapp.exe (PID: 3088)
Starts CMD.EXE for command execution
  • rundll32.exe (PID: 2216)
Application launched itself
  • rundll32.exe (PID: 3764)
Uses RUNDLL32.EXE to load library
  • rundll32.exe (PID: 3764)
Dropped object may contain TOR URLs
  • rundll32.exe (PID: 2216)
Application crashed
  • rundll32.exe (PID: 3764)
Loads main object executable
  • rundll32.exe (PID: 3764)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
  .dll  Win32 Dynamic Link Library (generic) (43.5%)
  .exe  Win32 Executable (generic) (29.8%)
  .exe  Generic Win/DOS Executable (13.2%)
  .exe  DOS Executable Generic (13.2%)
EXIF
EXE
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:08 16:33:00+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 44544
InitializedDataSize: 123392
UninitializedDataSize: null
EntryPoint: 0x3dd7
OSVersion: 5.1
ImageVersion: null
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary
Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 08-Jul-2019 14:33:00

DOS Header
Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers
Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 08-Jul-2019 14:33:00
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics: IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE

Sections
Name      Virtual Address  Virtual Size  Raw Size    Characteristics                                                               Entropy
.text     0x00001000       0x0000AC44    0x0000AE00  IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ                   6.54199
.rdata    0x0000C000       0x00002B5C    0x00002C00  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ                             7.89161
.data     0x0000F000       0x0000E690    0x0000E400  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE         7.99241
.z4p395l  0x0001E000       0x0000C800    0x0000C800  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE         5.06588
.reloc    0x0002B000       0x000005F8    0x00000600  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ   6.65359
Resources

No resources.

Imports
    KERNEL32.dll

Exports

    No exports.

Screenshots

Processes

Total processes: 49
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Behavior graph: rendered interactively in the full report. Nodes shown: start, rundll32.exe (#SODINOKIBI), rundll32.exe, werfault.exe (no specs), unsecapp.exe (no specs), cmd.exe (no specs), vssadmin.exe (no specs), vssvc.exe (no specs), bcdedit.exe (no specs), bcdedit.exe (no specs)]
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID: 3764
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\c20e4249716805ab2c8645de65874797a2671ae16a30b9f1625ceb5f4bdd3ae6.dll", DllMain
Path: C:\Windows\System32\rundll32.exe
Indicators:
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 3221226356
Version:
  Company: Microsoft Corporation
  Description: Windows host process (Rundll32)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\c20e4249716805ab2c8645de65874797a2671ae16a30b9f1625ceb5f4bdd3ae6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\webio.dll
c:\windows\system32\sechost.dll
c:\windows\system32\winmm.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID: 2216
CMD: "C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\c20e4249716805ab2c8645de65874797a2671ae16a30b9f1625ceb5f4bdd3ae6.dll, DllMain
Path: C:\Windows\System32\rundll32.exe
Indicators:
Parent process: rundll32.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Windows host process (Rundll32)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\c20e4249716805ab2c8645de65874797a2671ae16a30b9f1625ceb5f4bdd3ae6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\winmm.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\cryptsp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll

PID: 4088
CMD: C:\Windows\system32\WerFault.exe -u -p 3764 -s 612
Path: C:\Windows\system32\WerFault.exe
Indicators: No indicators
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Windows Problem Reporting
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wer.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\faultrep.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\c20e4249716805ab2c8645de65874797a2671ae16a30b9f1625ceb5f4bdd3ae6.dll
c:\windows\system32\dbgeng.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\werui.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dui70.dll
c:\windows\system32\duser.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\winmm.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

PID: 3088
CMD: C:\Windows\system32\wbem\unsecapp.exe -Embedding
Path: C:\Windows\system32\wbem\unsecapp.exe
Indicators: No indicators
Parent process: ––
User: admin
Integrity Level: HIGH
Version:
  Company: Microsoft Corporation
  Description: Sink to receive asynchronous callbacks for WMI client application
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\unsecapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID: 3708
CMD: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\cmd.exe
Indicators: No indicators
Parent process: rundll32.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\vssadmin.exe

PID: 3476
CMD: vssadmin.exe Delete Shadows /All /Quiet
Path: C:\Windows\system32\vssadmin.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll

PID: 3044
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Indicators: No indicators
Parent process: ––
User: SYSTEM
Integrity Level: SYSTEM
Version:
  Company: Microsoft Corporation
  Description: Microsoft® Volume Shadow Copy Service
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll

PID: 1372
CMD: bcdedit /set {default} recoveryenabled No
Path: C:\Windows\system32\bcdedit.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Boot Configuration Data Editor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1476
CMD: bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\system32\bcdedit.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Boot Configuration Data Editor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Registry activity

Total events: 141
Read events: 125
Write events: 16
Delete events: 0

Modification events

PID   Process       Operation  Key
      Name = Value

3764  rundll32.exe  write      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
      UNCAsIntranet = 0

3764  rundll32.exe  write      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
      AutoDetect = 1

2216  rundll32.exe  write      HKEY_LOCAL_MACHINE\SOFTWARE\QtProject\OrganizationDefaults
      pvg = 76DB3D58EF8917CDB5D1BE5298500848DB863C77FD68FCA4133270567D186848

2216  rundll32.exe  write      HKEY_LOCAL_MACHINE\SOFTWARE\QtProject\OrganizationDefaults
      sxsP = 5E334296AC0EE9E40F3CE78B2F29AFF4B89BB08CAC04DFBDF51EBF845403E26F

2216  rundll32.exe  write      HKEY_LOCAL_MACHINE\SOFTWARE\QtProject\OrganizationDefaults
      BDDC8 = 7AF301EE749B5567ABA8F9EF2105A50F0879A2CCDFFFC877DC0496ED566BC3100A5A2C7B79D64E83EDE6142D117D83FB6BC0BF531F65908A84F486857EA288AD861132666E5C97670DF131C33B07546BC09A102FDD0FBDEC

2216  rundll32.exe  write      HKEY_LOCAL_MACHINE\SOFTWARE\QtProject\OrganizationDefaults
      f7gVD7 = 32AB2F804CCB9FA2913DEEB00E25CD0241D2DACA240D54B83D2DF4407F7E7BBB9A3391C2723E88D95EBBA89AB9FDCC268CE023EC9B1BDAE19484CCD8BB5A43311402281FD1BDF0B089D60A7E2C2C7E42A5F1F6EA30CB7849

2216  rundll32.exe  write      HKEY_LOCAL_MACHINE\SOFTWARE\QtProject\OrganizationDefaults
      Xu7Nnkd = .5f9na

2216  rundll32.exe  write      HKEY_LOCAL_MACHINE\SOFTWARE\QtProject\OrganizationDefaults
      sMMnxpgk = [value missing from the extracted report]

2216  rundll32.exe  write      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
      UNCAsIntranet = 0

2216  rundll32.exe  write      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
      AutoDetect = 1

1372  bcdedit.exe   write      HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000009
      Element = 00

1476  bcdedit.exe   write      HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\250000e0
      Element = 0100000000000000

Files activity

Executable files: 0
Suspicious files: 164
Text files: 0
Unknown types: 2

Dropped files

PID
Process
Filename
Type
4088
WerFault.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_c20_5baaa5f6d9d6d3bef95876fff0cbb68620ee2ec3_0ff61161\Report.wer
binary
MD5: 0f7043770804da3d8d3df0f744aeddf4
SHA256: 0c48891a4520193d53cc1470cc33b8f05ccf9bb634bd778ffa7f5cd5c257b8b0
2216
rundll32.exe
C:\Users\admin\Searches\Everywhere.search-ms
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\documents\onenote notebooks\personal\Unfiled Notes.one.5f9na
binary
MD5: e3b74194c91a0fd77f80da5da441c609
SHA256: 9edbfbd02b449ac40b957239ffee390b6a0f9c99573228e789999f336ddd96cb
2216
rundll32.exe
c:\users\admin\documents\onenote notebooks\personal\Open Notebook.onetoc2.5f9na
binary
MD5: cb34c8f0ca140fa32718890dad5c0b1b
SHA256: 87acc86298e0b246fd14abea58008c2ba7588bbbf42b32d44cdb0dcb860fde99
2216
rundll32.exe
c:\users\admin\documents\onenote notebooks\personal\General.one.5f9na
binary
MD5: a4c717cae0ec8cc1203063c8df3d8670
SHA256: cd7a2b61405e8686852dbb8e39097251d055a2b62fc0a9b832aa55d85a427525
2216
rundll32.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\public\videos\sample videos\Wildlife.wmv.5f9na
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\public\recorded tv\sample media\win7_scenic-demoshort_raw.wtv.5f9na
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\public\pictures\sample pictures\Tulips.jpg.5f9na
binary
MD5: 79416c9e4401b8ad54e40d202940b893
SHA256: 2d9567fe1f965c2070b5232bac7587470cf781b18a8a874ff7cdef0bc6459196
2216
rundll32.exe
c:\users\public\pictures\sample pictures\Penguins.jpg.5f9na
binary
MD5: 450c9dae9e6f402789dbd82f40f93eda
SHA256: 9c0db16821dee05bbd732b438bb0e5ed27de562985e7d368d304805341095391
2216
rundll32.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\public\pictures\sample pictures\Koala.jpg.5f9na
binary
MD5: c75b810a13a7d00f79d366efbf98a0a4
SHA256: 45fa7609abf05c783fe5b6f56ed745d76b8c183e14f03938289c6b1aa893e38e
2216
rundll32.exe
c:\users\public\pictures\sample pictures\Lighthouse.jpg.5f9na
binary
MD5: 95d904ced82a61cd00eb3edf9a55ddb7
SHA256: 72d6e866cfeb400b81007317b377fdf659a4055e6a3942e7327a869dcd74cc88
2216
rundll32.exe
c:\users\public\pictures\sample pictures\Jellyfish.jpg.5f9na
binary
MD5: 498e2d2a27c95baf6b24add3ab91c7e6
SHA256: 1a6488101aaf7dc922f5fc5c91649f9cca1fe86a198801065bbc6d2ee41f18d0
2216
rundll32.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\public\pictures\sample pictures\Hydrangeas.jpg.5f9na
binary
MD5: 0dc5c3f3560001a39841bfcfe25016c4
SHA256: c86a4abfdc899c1b1f1aa77882aa397d686e24dd5c3edbbd1e79ef80073e65e6
2216
rundll32.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\public\pictures\sample pictures\Desert.jpg.5f9na
binary
MD5: 1cd233d4b1d25d751c4c74f8d616cb27
SHA256: a724437cf09c8a5878ca40b897e953b9702e860afd7ade94a298eb149443ef47
2216
rundll32.exe
c:\users\public\pictures\sample pictures\Chrysanthemum.jpg.5f9na
binary
MD5: 160b16b2d5c78a0876744c32c15d5932
SHA256: e98d0cae0268f917f7194a863f7a24c2fea6ed92f4ec7f494050129e2f124124
2216
rundll32.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\public\music\sample music\Sleep Away.mp3.5f9na
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\public\music\sample music\Maid with the Flaxen Hair.mp3.5f9na
binary
MD5: d6b95646a337a1c4a9751901144735ef
SHA256: 9464d99913b9dc5d6037eff08c8b41edaf21b4f7c720f9b9e31e2e2786f66e91
2216
rundll32.exe
c:\users\public\music\sample music\Kalimba.mp3.5f9na
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\administrator\favorites\windows live\Windows Live Spaces.url.5f9na
binary
MD5: 3815bc85fbd715274c1c17f9140886df
SHA256: f395978a5fcde0be795d265fc30fdc81782db3d8520a34f234c92d6fee73c0b9
2216
rundll32.exe
c:\users\administrator\favorites\windows live\Windows Live Mail.url.5f9na
binary
MD5: 851a92391ffb582a79c19a869ee7e155
SHA256: 024a4e90940968bbfd4c2d526b28cf968167eee41c0e28fd2ec073b8f5dea9a0
2216
rundll32.exe
c:\users\administrator\favorites\windows live\Windows Live Gallery.url.5f9na
binary
MD5: 48b23a28bd562da2678d4e2f5121db59
SHA256: 26beeb2d3b22bd89d08489d8f8f52fa1acb2d6fe84b408046350514f3de1ae16
2216
rundll32.exe
c:\users\administrator\favorites\windows live\Get Windows Live.url.5f9na
binary
MD5: c1a62a1236f55a8ffa3da5babf99d4e0
SHA256: 7bb1032f35c4a5461b3c0ac3f5d2970b765bec5f35e17f7033a5e0f769ecb23e
2216
rundll32.exe
c:\users\administrator\favorites\msn websites\MSNBC News.url.5f9na
binary
MD5: 6fd1c3ddcd365c343080b57502d5b122
SHA256: 6032f6282154bdb596ad63c9164c4650e604803ae4224c38d8e2248341ee52b3
2216
rundll32.exe
C:\Users\Administrator\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\administrator\favorites\msn websites\MSN.url.5f9na
binary
MD5: a998f862f14f399ef6fed0d7d7a10603
SHA256: b3fffde3d7bf05d35d59569438cb94d89ad0e141cc4d61290685dab361679026
2216
rundll32.exe
c:\users\administrator\favorites\msn websites\MSN Sports.url.5f9na
binary
MD5: b9d78dd1ee3e9824dbc17cfb68401643
SHA256: af6484ab37a144a019870fcf4174cbeb29fe04cdf3dc7d3088b8bff4c23a5b95
2216
rundll32.exe
c:\users\administrator\favorites\msn websites\MSN Money.url.5f9na
binary
MD5: 34a8f640616d72ef3155f7e3c22f333e
SHA256: f15052ae74679977fc8b7dc023e8b0e39157e2e416463bc869a75e966f1bef4a
2216
rundll32.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\administrator\favorites\msn websites\MSN Entertainment.url.5f9na
binary
MD5: b5167839d09cebb31f8a921eba3a9b4c
SHA256: 402be6b19ebf8d821288a3002c384557acc35c631fedbc0320740106c1385aef
2216
rundll32.exe
c:\users\administrator\favorites\msn websites\MSN Autos.url.5f9na
binary
MD5: 7c26fe96890e1b6641280e7389ca9e31
SHA256: 2cc1412b673dcc5c32a9aa71840cb114c1b00cf50f0ec44f7f1d963741d907fc
2216
rundll32.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\administrator\favorites\microsoft websites\Microsoft Store.url.5f9na
binary
MD5: 57b06a6aa56d738b39c2d07606c99867
SHA256: 7357c70c7b3540bd8a30a0cb3a8a2f2cf72d9ef7155359e6dc5cc878fa143d8e
2216
rundll32.exe
c:\users\administrator\favorites\microsoft websites\Microsoft At Work.url.5f9na
binary
MD5: da0acca12570c85c40bea4445ad3fa31
SHA256: 5c0b20fbbc835901393ecc953737eba1a0c0342e524d0d36b7be5bc215dcd8f1
2216
rundll32.exe
c:\users\administrator\favorites\microsoft websites\Microsoft At Home.url.5f9na
binary
MD5: 24e42bc9b40becd2af2332f3fa4e0606
SHA256: 6d320bacd0303e93008ad383613f2af6fb34c96f5f345fdcc3376824df974266
2216
rundll32.exe
c:\users\administrator\favorites\microsoft websites\IE site on Microsoft.com.url.5f9na
binary
MD5: c8d08eb208e6b11fdd6beee27aa9afca
SHA256: 627753cd34f1981dff545a40d7a24b6290cd5b187e44fe2f134b998b4b03ed1c
2216
rundll32.exe
c:\users\administrator\favorites\microsoft websites\IE Add-on site.url.5f9na
binary
MD5: c51f8b6b537cb4959cac6fb0926df86e
SHA256: 2a1f0bbb90b6190111e52eabef7b8d74c727ce76e119edc60c3ecb2741b36f4c
2216
rundll32.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\administrator\favorites\links for united states\USA.gov.url.5f9na
binary
MD5: aba758de9b14ebde62302cd8023ccf99
SHA256: b1d0123fbe464bf55a8f28d37afe08d85d0b9213867fe354f3559fd8d81fd6ae
2216
rundll32.exe
c:\users\administrator\favorites\links for united states\GobiernoUSA.gov.url.5f9na
binary
MD5: c0cf65beef919d4a8636cdf0ea47fa74
SHA256: 4726b547f493589e92339376201630f5cd857bd57e33b0732ec61fae99a215fa
2216
rundll32.exe
C:\Users\Administrator\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\administrator\favorites\links\Web Slice Gallery.url.5f9na
binary
MD5: 4f70ccd8c054509d0f0c776cdc7d2aae
SHA256: d50d84889881903604927ae4d1d2487582affbffe16a61e89e5933a6b6c92161
2216
rundll32.exe
C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\windows live\Windows Live Spaces.url.5f9na
binary
MD5: 72436e30b959820dd8c89a52557668ea
SHA256: 66185d47613abee319e1401595ad2724f5430e04869de282a26e03c7ed1afb46
2216
rundll32.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\windows live\Windows Live Mail.url.5f9na
binary
MD5: 69b7453fcbd4aedfc3c067598f887f4e
SHA256: 9413af8b65bbed3d7a074feff8daaf52d686d12640e98bb7ea1b30e2e3e979f4
2216
rundll32.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\windows live\Windows Live Gallery.url.5f9na
binary
MD5: ef9ae807b8a630821a4bba3b14b2a78a
SHA256: bb3ec4c0b4b62dc23d5a4cf2028f811ff0c2bf7bcbf8732d4aa893d60bacc49b
2216
rundll32.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\windows live\Get Windows Live.url.5f9na
binary
MD5: 62683fd32da25d0c30e98c27d3535691
SHA256: 49a453016b31aaf8a571eb4f32c9b27e9a18407e6d2e7f4e6eeb6899bf8cae7a
2216
rundll32.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\msn websites\MSNBC News.url.5f9na
binary
MD5: fcd80ecab99c45c56d9eaae5569a7815
SHA256: 337fbebf8d07401a5a90ac0fbdbca1c5fc06c106f916e67c9cbe95088b92f1ba
2216
rundll32.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\msn websites\MSN.url.5f9na
binary
MD5: 856f68369732a1fa40cc271b8ff14059
SHA256: 7c0b38201ed3d00f7b30872fbb85990fa3deccafd7b1b9fd589ecd2512781bcd
2216
rundll32.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\msn websites\MSN Sports.url.5f9na
binary
MD5: 7be4e187a4d43adb7711fd5c36893670
SHA256: da38f62388a84e1f6c219cf4590ad93d448b701a20f54b4f33f41c41055409a0
2216
rundll32.exe
c:\users\admin\favorites\msn websites\MSN Money.url.5f9na
binary
MD5: 6fc9fc6d30f0fc5f8d9c6c18af57a666
SHA256: c12145fe7733a837ff8a6b2980b6772bac459a75a586279355d4c4168bcafe35
2216
rundll32.exe
c:\users\admin\favorites\msn websites\MSN Entertainment.url.5f9na
binary
MD5: b7f24d6974acb5874d75d8a378ae94c9
SHA256: b90ad6ba0cb045fc75b817e0241266dfbef8cd2427d505630b0976d2e42c874c
2216
rundll32.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\msn websites\MSN Autos.url.5f9na
binary
MD5: 6be76c3a1613475e2ee2cadb66d1380f
SHA256: 7fa4910f66882f63d3dc72621c4648d5d8ed5b7a5363a53e812a0d78432dcfb1
2216
rundll32.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\microsoft websites\Microsoft Store.url.5f9na
binary
MD5: 30d744d232e8bb6ef70bbeda9b870097
SHA256: a43992b4789c19dbe3396b9bcfa585f2dd7aa298509f0f00ae150691146c2f4d
2216
rundll32.exe
c:\users\admin\favorites\microsoft websites\Microsoft At Work.url.5f9na
binary
MD5: 9e62b8c5e15306828d070a60b937c39b
SHA256: badde62defb0e1199ec3734dccc3e625d7d3fbfb3a91fd781d1b7d2cdaeba55a
2216
rundll32.exe
c:\users\admin\favorites\microsoft websites\Microsoft At Home.url.5f9na
binary
MD5: 157c5096205b1ca12e1ac9930fff48e8
SHA256: 940386b90e2337a58a70c4e17a565ffdcb0213e4cc5bcedfbbbcbd826679414b
2216
rundll32.exe
c:\users\admin\favorites\microsoft websites\IE site on Microsoft.com.url.5f9na
binary
MD5: 16aaf2832b80827d3b8cc42a859b0276
SHA256: 58759fde74fda897103a358b736d262276f196da62226e27dfdbe1771c858c28
2216
rundll32.exe
c:\users\admin\favorites\microsoft websites\IE Add-on site.url.5f9na
binary
MD5: 6d750e1fa3cb2bd876eb49dcb360c5d3
SHA256: 3cbdbbe36b081bf427941755c52b900fd35c0fd3c7d21b709491a5e19a57dd23
2216
rundll32.exe
C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\links for united states\USA.gov.url.5f9na
binary
MD5: dd14776eedd433d11965a437b4b1b4fe
SHA256: 996e32719f9c2ad0d3c5cabd073f1a7a3202d42c317350ae63613b4d3aadd3f6
2216
rundll32.exe
c:\users\admin\favorites\links for united states\GobiernoUSA.gov.url.5f9na
binary
MD5: 2cae4d08b4ca7a097ed8eb767e992067
SHA256: bca7dd606cbfcecf6a2b5190afab48f94153ca55a57780cf050602dfd5f16652
2216
rundll32.exe
C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\favorites\links\Web Slice Gallery.url.5f9na
binary
MD5: 066eab7de986722be18cc158726695d4
SHA256: 9e1f7a06b75a2cc8000cffb263c369543f38a62c3822df7ebda727007de066ea
2216
rundll32.exe
c:\users\admin\favorites\links\Suggested Sites.url.5f9na
binary
MD5: 163b5da68d16212b8087984b9e308b26
SHA256: ef55d6431be6fda7b983217d2897be00ae006169ddf989193bafbd25999ad982
2216
rundll32.exe
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\admin\Favorites\Links\Suggested Sites.url
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\documents\outlook files\~Outlook.pst.tmp.5f9na
binary
MD5: 9068a98462293cdc2a6eeb2d00cfdc52
SHA256: e931cfe943d02b6acdc9bd00a1e8c2464fac6a6fdf814ffe7dcd615b3fa32952
2216
rundll32.exe
c:\users\admin\documents\outlook files\Outlook.pst.5f9na
binary
MD5: cba67348eaa59a944497f68ac233c79f
SHA256: fe3d8cf304f5d6627a0e06dc841ff6b5c532eeb74255880cb60d0bb4febe4baa
2216
rundll32.exe
c:\users\admin\documents\outlook files\Outlook Data File - test.pst.5f9na
binary
MD5: 15bd13ddcd439061f65953c199b89e73
SHA256: 59a1c8c00123feb8ac4b6343a2fd6d1e94290b5a944b1c901e244ac9e335e804
2216
rundll32.exe
c:\users\admin\documents\outlook files\Outlook Data File - NoMail.pst.5f9na
binary
MD5: 9ed5cdb159d4407f09a91dd27f12a9c1
SHA256: d6679ed6636ebdb5dadfda61cc59084e7748c75532d734bfec02d3d035a0008c
2216
rundll32.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\documents\outlook files\[email protected]
binary
MD5: 3b3e4b8d2f80550106833526168da411
SHA256: a9d9bcfa8b3be4ba8992aeb6d24dfa47e67271e4a1eddd5c1177c569246b8386
2216
rundll32.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\users\admin\documents\onenote notebooks\personal\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\public\recorded tv\sample media\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\public\videos\sample videos\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\public\pictures\sample pictures\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
c:\users\public\libraries\RecordedTV.library-ms.5f9na
binary
MD5: 70b3a74eed9f135c5381e579e3340da6
SHA256: 9776da9b5d47ba3e2dc1ddb47f75964fe135f338fc3087108cd04b8763a15af6
2216
rundll32.exe
C:\users\public\music\sample music\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\Users\Public\Libraries\RecordedTV.library-ms
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\administrator\searches\Indexed Locations.search-ms.5f9na
binary
MD5: a1bd97588a5c630a3ea92d969986fc48
SHA256: 243c9e27066fbc9be5491a531edbb140c70c41a9b2a5a88cbc6958e954f097c1
2216
rundll32.exe
C:\Users\Administrator\Searches\Indexed Locations.search-ms
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\administrator\searches\Everywhere.search-ms.5f9na
binary
MD5: 59c2841f8641401fc34a3a3f3bf1ee7d
SHA256: 350f7c81530e80a13c9e4af3d00b8a4ddf319f0057128b4f180e55af80496bbd
2216
rundll32.exe
C:\Users\Administrator\Searches\Everywhere.search-ms
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\users\administrator\favorites\windows live\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\favorites\msn websites\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\favorites\microsoft websites\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
c:\users\administrator\contacts\Administrator.contact.5f9na
binary
MD5: 1e602b7b2eb4a57bc3e0ad654f91a157
SHA256: 40389908a7c3e0ba6e675217fe60217b5b823940d994b615552fb1cdb31ce166
2216
rundll32.exe
C:\users\administrator\favorites\links for united states\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\favorites\links\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\Users\Administrator\Contacts\Administrator.contact
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\searches\Microsoft Outlook.searchconnector-ms.5f9na
binary
MD5: 00816687b1ff658963b9dc362f772ef3
SHA256: df9fcde07cff425bf14aa2e08eddf0acaa26b2fa06791b4781594e74bdc3ccfe
2216
rundll32.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\searches\Microsoft OneNote.searchconnector-ms.5f9na
binary
MD5: 5ee259698af10584976e366e6514634a
SHA256: d8d4bd8859399444fef5ce2237c5d2754c524b2e996ba80bdc0a3e7507e9d33a
2216
rundll32.exe
c:\users\admin\searches\Indexed Locations.search-ms.5f9na
binary
MD5: 315e0a179d12918625f6b93c12bc740f
SHA256: 8b34aa86a1abcf2ce1296adf4d234c2a574121af39731cef7a1ea3287ad07f2c
2216
rundll32.exe
C:\Users\admin\Searches\Indexed Locations.search-ms
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\searches\Everywhere.search-ms.5f9na
binary
MD5: 5f603be044cedb73702b59cb69295790
SHA256: 8cbf25e8cab77f1f70c8ca04aaf77935a1b0d226f6204b2bd2453b7c5c06b543
4088
WerFault.exe
C:\Users\admin\AppData\Local\CrashDumps\rundll32.exe.3764.dmp
dmp
MD5: 9df8984e4f4a48d2d0fa35786f27da76
SHA256: 80357e81586c44881de797bda4ae8416cdcb6a008c1df1b0857caff10c9ea7a6
2216
rundll32.exe
c:\users\admin\pictures\understandupdates.png.5f9na
binary
MD5: 3d9b08222fe3f388a607a421e3b10217
SHA256: ac36f581997988bc587da192b175bb12bc04dd196f204cfb529ce18140e69341
2216
rundll32.exe
c:\users\admin\pictures\todaytoys.png.5f9na
binary
MD5: e384cff2a20c69d8b1ad64eeaa9458eb
SHA256: 4fa49002fd3e1841a30c34864883259d5e212296151124164975b9eb961ac049
2216
rundll32.exe
C:\Users\admin\Pictures\understandupdates.png
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\admin\Pictures\todaytoys.png
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\pictures\nicesummary.jpg.5f9na
binary
MD5: 60efa14e4dcbca4dca6085fd19c8ab12
SHA256: c31d340b1226d21ba976237fb658baaa21ba5303bb473abe384234e7167b4892
2216
rundll32.exe
c:\users\admin\pictures\provideryoung.jpg.5f9na
binary
MD5: 0a9f70924bfa6e0d2ad02acc0711cb9b
SHA256: 599f2c41d8519bf51daa442a737730354e4007a13d8e36671745f729fa44785d
2216
rundll32.exe
c:\users\admin\pictures\iipolitics.png.5f9na
binary
MD5: 281c33ffa8eb0509cb5e83625cf6179f
SHA256: f803fc71f623fead0dcaef1b22e404f0a60e2b38099fe055cd87a2b3bc3c5c93
2216
rundll32.exe
c:\users\admin\pictures\hourseducation.jpg.5f9na
binary
MD5: 03c9fe2095ca25398ede604e95b144fd
SHA256: 6820330c7298dd108808fa6987bfb71ec50903748c7199e6909df58f07af4823
2216
rundll32.exe
C:\Users\admin\Pictures\iipolitics.png
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\admin\Pictures\hourseducation.jpg
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\users\admin\favorites\windows live\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\favorites\msn websites\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\favorites\microsoft websites\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\favorites\links for united states\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
c:\users\admin\downloads\yearl.png.5f9na
binary
MD5: 7fd0f6978e83c112e767f2bd267e2894
SHA256: a5d48e28253ea2da05b0fb5e1f346b72d7d7e8c883e89367e0714e52f04065e1
2216
rundll32.exe
C:\users\admin\favorites\links\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
c:\users\admin\downloads\womanmin.jpg.5f9na
binary
MD5: 21e5d98a7095f2d988eecfa54a92b8d7
SHA256: ca64247882369ec296d39063e72bc4b489f40108bf3966508bdfc95dac3b8bc9
2216
rundll32.exe
c:\users\admin\downloads\showand.png.5f9na
binary
MD5: 68eb5ed05e3d804a1b2366d27069d5b0
SHA256: c67e59e5433f7c55a3f058885dca47a309d3e20a7708418d38a5e38bb7feea15
2216
rundll32.exe
c:\users\admin\downloads\runningcommunities.png.5f9na
binary
MD5: 9ce96cd12551e598b3196c75c8669b74
SHA256: 727c74146901d9d5a2a988b32a1dc27734549af53d2fa2b70963c4575b7ee5df
2216
rundll32.exe
C:\Users\admin\Downloads\showand.png
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\admin\Downloads\runningcommunities.png
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\downloads\mmtransport.jpg.5f9na
binary
MD5: 8f379b1f9ec2f197d945201339e0fbd9
SHA256: 6b44af37fb52acfec22c89821d48e12f02854c1041ebbffaafe122924ba41c70
2216
rundll32.exe
C:\Users\admin\Downloads\mmtransport.jpg
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\downloads\definedyet.jpg.5f9na
binary
MD5: 78724acff6e9710ec11282fdbca9ed25
SHA256: 5f438b78fc06051e63f1d34ebbb22336eeae526fc3d7f51cd2dade5f09503a36
2216
rundll32.exe
C:\Users\admin\Downloads\definedyet.jpg
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\documents\soldcurrency.rtf.5f9na
binary
MD5: b0b7b3ae86838e0b074a8ea743a2822e
SHA256: 5d7b9ca22245f3e162219780b01544a01ebad96ab3b2c4aae58cc3a72d53e7fe
2216
rundll32.exe
C:\Users\admin\Documents\soldcurrency.rtf
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\documents\purchasesuite.rtf.5f9na
binary
MD5: 7fd7ba10294081b5f49115fb16e4a001
SHA256: 083213df7ed498f7a129e250be5befb2b64fd961d210d3ee72a33fdf388bb4bc
2216
rundll32.exe
C:\Users\admin\Documents\purchasesuite.rtf
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\documents\associatesma.rtf.5f9na
gpg
MD5: 54d6867f42e8233538f199854e587bf0
SHA256: 642eb39d62a8eb6c341e13a7af299faea9d3734c1d476ea2b40ac7c52b236d66
2216
rundll32.exe
C:\users\admin\documents\outlook files\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\documents\onenote notebooks\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\Users\admin\Documents\associatesma.rtf
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\documents\assessmentproposed.rtf.5f9na
binary
MD5: 51b5c5a461c30a4d24bfe37b7029da08
SHA256: 680f298dc20fe177fc91a183793508d6b5f977156f3946a98378a4456bb77c18
2216
rundll32.exe
C:\Users\admin\Documents\assessmentproposed.rtf
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\desktop\worthbeing.rtf.5f9na
binary
MD5: e54a5cd1d76d59972d1641244cf8a4ec
SHA256: 46ab7b09e0be48c3e7f9e8a9c8c18c023954b9692dc68924aa95b12b3c47b82e
2216
rundll32.exe
c:\users\admin\desktop\savefor.rtf.5f9na
binary
MD5: c6ed21da053a314cfe6bfb7732d9224c
SHA256: 11cb1ca50376fd8bf13b65b80efff65208792c67c815ac397a8800ee83954702
2216
rundll32.exe
c:\users\admin\desktop\requirementstry.png.5f9na
binary
MD5: 696e022df44f4a18100892e04fcacbd0
SHA256: 414037117a18528ab4e45166af3f8b900c6b61d867b129f902c34ca4d63a3577
2216
rundll32.exe
c:\users\admin\desktop\nettopic.rtf.5f9na
binary
MD5: 0c9f8feb34c9612e320a3407fb0e6283
SHA256: 86876942953f1c311e4967d23de709efd542688e6b6210474043d252426b9a7e
2216
rundll32.exe
c:\users\admin\desktop\monitoringbuilding.jpg.5f9na
binary
MD5: 08c948238eeadf561100b86778f57485
SHA256: eac4548569e7f60265516f9b5b62d3812c3196d29d64a49c8d3d6d17a10e07da
2216
rundll32.exe
c:\users\admin\desktop\irelandvan.jpg.5f9na
binary
MD5: e2ce0db729e382985125102e2e86ce8e
SHA256: 43672a99756a9ea0b93831d8f1ca6f5b4b0e3204eb3c604be5205c812f8fb719
2216
rundll32.exe
C:\Users\admin\Desktop\irelandvan.jpg
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\desktop\cityexperience.png.5f9na
binary
MD5: 8be69608a26109160e646a819869ca17
SHA256: d2c7f00268be1844281d28b5b05014b3b42af0cfd2b21329f74a0d6c51fe853a
2216
rundll32.exe
c:\users\admin\contacts\admin.contact.5f9na
binary
MD5: 9af2a33de183c10198af797c3d3d555c
SHA256: b08ca40614376ebc687cdb5dcbcaafcbc5c8252fb8751fa47798a14d05534314
2216
rundll32.exe
C:\Users\admin\Desktop\cityexperience.png
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\admin\Contacts\admin.contact
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.5f9na
binary
MD5: 9efc281b1a2a1eab3157a538f9ef36eb
SHA256: a8b1e905344dd24d7de6d8cbec6620b364f7c9a7775a9b0f68392baa4eb40693
2216
rundll32.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\users\public\music\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\public\recorded tv\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\public\videos\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\public\pictures\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\public\libraries\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
c:\users\default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.5f9na
binary
MD5: 1e2eec47a79f71d8084f82f88d7f293a
SHA256: 53ebbfec58463cab0cce3ad3b5c5ffc2d146f3248b961450666cf3eb8264003c
2216
rundll32.exe
C:\users\public\favorites\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\users\public\downloads\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
c:\users\default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.5f9na
binary
MD5: c2937c7e8e0f247550643b7566ce89a1
SHA256: 4327c2fe22cd6b57223f0325364f8b4e2893802c85aba142b076dedb98e30b7b
2216
rundll32.exe
C:\users\public\documents\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\users\public\desktop\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\default\pictures\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\default\videos\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\default\saved games\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
c:\users\default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.5f9na
binary
MD5: 7c307492f898e3b0dff6b499a9643acb
SHA256: 5780ac8df1f20d86f0655623e7d47ee5cab2ae5e6c3cffe965fbc37aee98aba4
2216
rundll32.exe
c:\users\default\NTUSER.DAT.LOG1.5f9na
binary
MD5: cd966ba1d0dd7d350c041cb0525b4a52
SHA256: cdfef00dc568b2bfadd7d474efff16e9b3c2c49943ca23c828636d9d77664622
2216
rundll32.exe
C:\Users\Default\NTUSER.DAT.LOG1
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\users\default\music\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\default\links\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\default\favorites\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\default\documents\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\default\downloads\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\default\desktop\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\videos\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
c:\users\administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.5f9na
binary
MD5: 6c43d05fb95c10ba84563ea423e3804f
SHA256: 3d3fbed18ea1a8d5b1a55ede75ec1dee3ec75534fa08230e9efd5a6b6f9ce3a7
2216
rundll32.exe
C:\users\administrator\searches\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
c:\users\administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.5f9na
binary
MD5: afcdfc1fa377684bacbd05499307f5b7
SHA256: a89bce6628575093ee17990f14a60f7a31d6396ce92653d0e20104439a678c38
2216
rundll32.exe
C:\users\administrator\saved games\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\pictures\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
c:\users\administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.5f9na
binary
MD5: eeb3d934b2cf38ee225185d932e93d6a
SHA256: 443c80c2443e9d3d29b7240653f43c8e0fca98f6f6d49292c51177e5bf85d8ba
2216
rundll32.exe
c:\users\administrator\ntuser.dat.LOG1.5f9na
binary
MD5: 291c43937269311a65e7bea38bcbe425
SHA256: 4e4615db2a34549a8fc69d2d132312106ed699c093599220ccb9a14e2b3d3cf6
2216
rundll32.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Users\Administrator\ntuser.dat.LOG1
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\users\administrator\music\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\links\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\favorites\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\downloads\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\documents\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\desktop\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\contacts\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\searches\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\videos\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\saved games\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\pictures\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
c:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi.5f9na
binary
MD5: f84a3658b14e5ddc36dfb962dd120cd0
SHA256: beac7b3d37e3c5438082a925b389aa022286003b49e3d32cd5b8f58ed734114d
2216
rundll32.exe
c:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.5f9na
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\users\admin\music\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
––
MD5:  ––
SHA256:  ––
2216
rundll32.exe
C:\users\admin\links\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\downloads\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\documents\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\favorites\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\desktop\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\.oracle_jre_usage\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\contacts\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\administrator\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\public\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\default\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\admin\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\users\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\recovery\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\program files\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\config.msi\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338
2216
rundll32.exe
C:\5f9na-readme.txt
binary
MD5: 28eaf421fbeb4aeb6bf8df1ad5ef46d8
SHA256: 0185718296985a3b5005b4d9f36cccd0c1b6d283c5c8007e7077b32989675338

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

No network activity.

Debug output strings

No debug info.